Apache Ambari

CVE-2015-1775 Apache Ambari Server Side Request Forgery vulnerability
Vendor: The Apache Software Foundation
Versions Affected: 1.5.0 to 2.0.2
Versions Fixed: 2.1.0
Severity: Important
Product description:

The Apache Ambari project is aimed at making Hadoop management simpler by developing software for provisioning, managing, and monitoring Apache Hadoop clusters. Ambari provides an intuitive, easy-to-use Hadoop management web UI backed by its RESTful APIs.

Vulnerability description:

Apache Ambari uses URL parameters to communicate with Ambari agents. The server sends an HTTP request containing a query to a particular agent and receives the queried data in return. This is implemented as an HTTP proxy, with the Ambari server acting as the proxy. By manipulating the target components sent in the URL (host, path, port, query string), a user can make the Ambari server talk to any HTTP interface reachable from it, not only to Ambari agents. Most of those interfaces are accessible only from the Ambari server. This is a Server Side Request Forgery vulnerability.

Test case:

The Ambari server uses a proxy mechanism to query each Ambari agent for data. The proxy is implemented in the ProxyService class of the org.apache.ambari.server.proxy package.
A sample HTTP request to the proxy and its response are listed below (the user has to be logged into Ambari; this call is made by the Jobs list view). Note that the value of the url parameter is itself a full URL with its own query string, and everything the attacker needs to change is inside that value:

GET /proxy?url=http://test.locald:8188/ws/v1/timeline/HIVE_QUERY_ID?limit=1&secondaryFilter=tez:true&_=1424180016625 HTTP/1.1
Host: test:8081
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-By: X-Requested-By
X-Requested-With: XMLHttpRequest
Referer: https://test:8081/
Cookie: AMBARISESSIONID=7uhwwcsyrl435zxqg31jfjt6
Connection: keep-alive

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15
Server: Jetty(7.6.7.v20120910)
{"entities":[]}


Exploitation conditions:

An attacker needs to have a normal user account in Ambari.

Vulnerability consequences:

* access other servers (change test.locald to something else) that are otherwise inaccessible to the user
* access HTTP services running on other ports (change 8188 to some other port number), which can be used for two things:
  * interact with those HTTP services (HTTP POST requests are passed through as well)
  * port scan the entire server and discover which HTTP services are running
* hide the source IP of the user when interacting with other servers (the Ambari server's IP is what the targeted server sees)
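The proxy behaviour described under Vulnerability description, and the manipulations listed above under Vulnerability consequences, as an added Python example (this is not Ambari's code and not the project's actual patch): a parser for the url parameter of a /proxy request, followed by the kind of host and port allowlist check that closes this class of SSRF, run over the advisory's own request line and a few constructed variants. The allowlist (test.locald on port 8188), the hostnames other than test.locald and the extra request lines are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist (an assumption for this example): the hosts the server knows as
# registered Ambari agents and the only port the proxy is meant to reach on them.
# The advisory's test case talks to test.locald:8188, so that pair is the legitimate target.
ALLOWED_HOSTS = {"test.locald"}
ALLOWED_PORTS = {8188}


def extract_proxy_url(request_target):
    """Pull the `url` parameter out of a /proxy request target.

    With a standard query-string parser the value ends at the first unencoded '&', so for
    the advisory's request it is 'http://test.locald:8188/ws/v1/timeline/HIVE_QUERY_ID?limit=1';
    the remaining pairs (secondaryFilter, _) become separate parameters of the /proxy request.
    """
    _, _, query = request_target.partition("?")
    values = parse_qs(query, keep_blank_values=True).get("url")
    return values[0] if values else None


def is_allowed_target(url):
    """Return True only for http(s) URLs that point at an allowed host:port pair.

    Everything the attacker can vary (scheme, userinfo, host, port) is checked before
    any request is made; the path and query string are left for the agent to validate.
    """
    if url is None:
        return False
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False               # no file://, gopher:// and similar schemes
    if parts.username is not None or parts.password is not None:
        return False               # http://test.locald:8188@evil.locald/ really targets evil.locald
    if parts.hostname is None:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname in ALLOWED_HOSTS and port in ALLOWED_PORTS


def proxy_decision(request_target):
    """'forward' if the proxy may relay this request to the named target, else 'reject'."""
    return "forward" if is_allowed_target(extract_proxy_url(request_target)) else "reject"


# Constructed requests: the advisory's own call, then the manipulations the
# "Vulnerability consequences" section describes (other host, other port, port scan),
# plus two classic bypass attempts (userinfo confusion, non-HTTP scheme).
SAMPLE_REQUESTS = {
    "advisory test case": "/proxy?url=http://test.locald:8188/ws/v1/timeline/HIVE_QUERY_ID"
                          "?limit=1&secondaryFilter=tez:true&_=1424180016625",
    "other host":  "/proxy?url=http://admin-only.locald:8188/",
    "other port":  "/proxy?url=http://test.locald:8080/",
    "port scan":   "/proxy?url=http://test.locald:22/",
    "userinfo":    "/proxy?url=http://test.locald:8188@evil.locald/",
    "scheme":      "/proxy?url=file:///etc/passwd",
}

if __name__ == "__main__":
    for label, target in SAMPLE_REQUESTS.items():
        print(f"{label:20s} {proxy_decision(target)}")
```

Only the first request is forwarded; every variant that changes the host, port, userinfo or scheme is rejected before the server opens a connection. Resolving the hostname and checking the resulting address against private ranges is a useful second layer, but an allowlist of known agent hosts is the check that actually matches what the proxy is for.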

Timeline:

09.03.2015 - vendor notified
10.03.2015 - vendor initial response
09.04.2015 - vendor accepted this as an issue and decided to fix it
09.10.2015 - patches available
13.10.2015 - public disclosure

Links:

CWE-918: Server-Side Request Forgery (SSRF)
Ambari vulnerabilities
[CVE-2015-1775] Apache Ambari Server Side Request Forgery vulnerability

Mateusz Olejarka
